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Abstract —This paper describes the process of remaining anonymous online and its concurrent operational security 
that has to be performed. It focusses particularly on remaining anonymous while purchasing online goods, resulting 
in anonymously bought items. Different aspects of the operational security process as well as anonymously funding 
with cryptocurrencies are described. Eventually it is shown how to anonymously purchase items and services from the 
hidden web, as well as the delivery. It is shown that, while becoming increasingly difficult, it is still possible to make 
anonymous purchases. Our presented work combines existing best-practices and deliberately avoids untested novel 
approaches when possible. 
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Introduction 

E present a detailed approach to anony¬ 
mously purchase goods and services on¬ 
line. 

As human life shifts towards the world wide 
web, the interest of large Internet companies 
and government agencies in the Internet in¬ 
creases significantly. Remaining anonymous on 
the Internet has ever before been as hard as it is 
today. Every webpage visited, every file down¬ 
loaded, every email or message sent, every 
purchase made, can be traced back and read by 
other parties. This paper describes the methods 
of remaining anonymous on the Internet and 
the concurrently required operations security 
processes. The first section explains the basic 
principles and tools regarding the operations 
security, also known as OPSEC. Thereafter, the 
process of obtaining anonymous bitcoins is de¬ 
scribed and finally the methods of purchasing 
online goods is explained. 

1 Extensive operational security 

Remaining anonymous on the internet is a 
though process. Anonymity cannot be obtained 
through just the usage of certain tools or ser¬ 
vices. It is a process that comes by keeping ev¬ 
ery single asset involved in the anonymous op¬ 
eration, anonymous and minimise the amount 


of incriminating evidence on those assets. Op¬ 
erational security, hereafter OPSEC, plays a 
critical role in remaining anonymous online. 

Anonymity does not work retroactively. At 
the beginning of an anonymous operation, the 
anonymity of all the assets involved have to 
be thought of very carefully. The environment 
that will protect the anonymity has to be set up 
thoroughly, from the beginning. The following 
subsections go into depth on the principles that 
ensure a high level of anonymity. 

1.1 Compartmentation 

One of the key principles of OPSEC is applying 
compartmentation. Compartmentation is the 
limiting of the ability for persons or entities 
to access information needed to perform cer¬ 
tain tasks and isolating information as much 
as possible. In this case it means that all the 
digital evidence and information should be (if 
possible physically) separated from each other 
so that linking pieces of information is hard 
and cannot be used to extend the image of 
the anonymous identity that a person is using. 
Straight forward examples are: 

• Possessing and using different online ac¬ 
counts (i.e. Pacebook or IRC nicknames) to 
sign up for anonymous services online. 
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Fig. 1. Elements of anonymous purchasing process. 


• Using different anonymous (prepaid) 
credit card accounts to make purchases. 

• Removing XMP metadata (that may con¬ 
tain geolocation data) from photo's that 
a person uploads during the operation. 
LulzSec member WOrmer was exposed by 
not removing XMP data from a picture that 
contained geo-location of his girlfriend llTlI . 
which linked to his real identity. 

But compartmentation goes as far as: 

• Using numerous hardware, i.e. mobile 
phones, laptops and CD-R's (USB-devices 
contain microcontrollers that can be re¬ 
programmed into a spying device||8]|), for 
doing different operations or components 
of an operation. 

• Spoofing MAC-addresses that are used to 
identify hardware.[9J 

• Using different physical internet connec¬ 
tions for different parts of an operation, 
i.e. bars, hotels, open or hacked WiFi net¬ 
works. LulzSec hacker Jeremy Hammond 
was caught by identifying his laptop using 
the MAC-address found on his personal 
WiFi networkll9ll. 

• Doing parts of an operation in differ¬ 
ent timezones, including never discussing 
environmental aspects, i.e. weather con¬ 
ditions. Hammond also revealed a large 
amount of profiling information during 
IRC chats, that were used to personally 
identify him.|9J 

• Removing any type of logs, i.e. syslog, chat 
logs from the operating system. 

It should not be possible for an observer of a 
persons online activity to link properties of dif¬ 
ferent compartments to each other. Every step 
or move online has to be advised of not linking 
compartments and extending the online image 
of the real identity. This effect is referred to 
as contamination. To prevent this, the general 
principle 'proactively paranoid' is often used 


in OPSEC. 


1.2 Online identity 

Depending on the kind of operation, the fake 
identity that will be used, has to be as authen¬ 
tic as possible. A layered approach is used, 
meaning that one would create a fake online 
identity and completely compartmentise this 
identity from its real identity. This fake iden¬ 
tity would then be used to create other fake 
identities. It ensures that if one fake identify 
gets compromised, it would not lead to de¬ 
anonymization of the person's real identity, but 
instead just one 'layer' or 'compartment' of the 
identity protection would have been 'peeled 
off'. In practice this means that created email 
addresses point consequently only to the email 
address of its previous 'layer' and not layers 
beneath its previous 'layer'. 

As in other OPSEC practices, avoiding 
contamination and profiling between the 
'wrapped' identities is vital. 


1.3 Linking assets in real life 

The purchase of online goods will in almost 
every case, involve the physical contact of the 
person with entities that may be able to gen¬ 
erate identifying material of the person's real 
identity. In general one should always try, for 
every asset involved, to prevent purchases in 
stores with camera surveillance and, obviously, 
never use electronic payment methods that 
may link to the real identity. 


1.3.1 Purchase of hardware 
In general, purchasing any kind of hardware 
via online marketplaces^^ is good practice (un¬ 
less the hardware is already blacklisted due 
to past usage in compromised operations). 


1. http://marktplaats.nl 

2. https://ebay.com 
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Second hand hardware has reduced tracking 
perspectives which otherwise may lead to the 
de-anonymisation of the person's real iden¬ 
tity. By purchasing hardware in stores, the 
person becomes vulnerable to in-store camera 
systems. To minimise exposure, only purchase 
from small local stores and start to use the 
hardware only a few months after. If unique 
hardware ID's may link to the time and lo¬ 
cation of purchase, the probability that the 
owner of the store has already removed video 
evidence of the moment of purchase, is larger. 
Making purchases in extreme weather condi¬ 
tions and dressing accordingly, may provide 
extra cover without drawing attention, i.e. sun¬ 
glasses/scarf and cap. If hardware is bought 
online, it must never be delivered to the per¬ 
son's address or be paid with electronic pay¬ 
ment systems other than anonymous prepaid 
credit cards and anonymised cryptocurrencies. 
It should be noted that spendings of prepaid 
credit cards are monitoredllOJ. 

1.3.2 Mobile Phones and SIM cards 
Only when usage of mobile phones in an 
operation is mandatory, they should be used. 
Due to easy localisation||4]| and decryption of 
communications0, this medium is considered 
insecure. Mobile phones should be disposable, 
featuring a minimal OS and functionalities, re¬ 
sulting in a reduced attack surface. The phones 
should be used in combination with multiple 
sim cards. Phones that will not be used any¬ 
more should be completely destroyed. While 
phones are not used, the devices should be 
battery unplugged or stored in a leaden box to 
prevent emission of signals, especially when a 
smartphone or WiFi device is used. The phones 
should never be used to make phone calls 
under the real identity of the person. Again, 
compartmentise and avoid contamination of 
those compartments. 

WiFi hotspots may keep logs of devices that 
are in range. Even unconnected WiFi devices 
may be logged at point of operation. This may 
link back to the persons real identity. 

1.4 Secure communication 

Secure communication is one of the most vital 
assets in an operation and if well understood. 


the easiest component to perform correctly in 
an anonymous operation. In general, open- 
source software projects that are end-to-end 
encrypted are used for secure communication. 
The methods described in the following sec¬ 
tions are, as of the moment of writing, ex¬ 
tremely secure, as concluded from N.S.A. doc¬ 
uments from the Snowden-leaks ||T| . 

1.4.1 Email 

One or multiple anonymous email accounts are 
required that do not have personal linked in¬ 
formation in them. Safe-mai^is a provider that 
provides email with minimal personal informa¬ 
tion upon sign-up. Gmail also allows for easy 
sign-up, although is more monitored|ITT| and 
sign-up over Tor requires phone verification. 
This email account will be used together with 
GnuPG encryption of e-mails. Usage of keys 
longer than 4096-bit is important and authenti¬ 
cation tokens to protect the GnuPG private key 
provide an extra layer of security. Descriptive 
subjects should be avoided, as subjects of e- 
mails are not encrypted. 

1.4.2 IM 

For Instant Messaging, a protocol named Off- 
The-Record (OTRlHSlI can be used. This is a 
XMPP-based protocol, that can be used to com¬ 
municate over Jabber services, i.e. securejab- 
ber.me or CCC.de XMPP servic^ Password 
renewal on regular basis is important practice. 
XMPP services that provide self-signed certifi¬ 
cates, signed with their GnuPG private key, 
provide an extra layer of security against PKI 
attacks EJ. 

1.4.3 Voice 

Open Whisper Systems is a group of open- 
source contributors that build end-to-end 
secure communication tools. RedPhone/Signal 
is a smartphone application uses the 
ZRTP protocol to provide end-to-end 
VoIP. Together with TexSecure, it provides 
perhaps the strongest security in mobile 
communications |fT^ . However, it should be 
noted that use of these techniques implicates 
vulnerability for profiling. IITSlI 

3. https://safe-mail.org 

4. jabber.ccc.de 
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1.5 Hardware & Operating System 

The computer used to enter the internet, should 
be as lean and mean as possible so that possi¬ 
bility to store incriminating evidence is min¬ 
imised. This means a laptop should be used 
with, preferably a pre-Intel 94^ no battery 
(easy shut down is necessary), no harddisk, 
WiFi chip, bluetooth, microphone and webcam. 
Try to always use an ethernet connection, that 
as extra fail-safe is routed over a Tor router 
like P.O.R.T.A.Lj3 This ensures that all Internet 
traffic is routed over the Tor network. The 
Tails operating system is designed to refrain 
the system of storing logs and any files and 
by default routes all the traffic automatically 
over Tor. Persistent encrypted storages with 
plausible deniability can be used to store data 
using TrueCrypj^ 

Tor should always be used as it grants a good 
level of anonymity. The anonymity of a VPN 
is only as strong as the provider is willing to 
protect users data against law enforcement. IIT3ll 
VPN's provide privacy of the users data, but 
does not provide anonymity. Therefor, always 
connect to a VPN via Tor, if a VPN is necessary. 

Another method of remaining even more 
anonymous is to route the traffic over a botnet, 
and using one of the infected nodes of fhe 
botnet as exit node43 

2 Funding wallets with anony¬ 
mous BITCOIN 

The currency that provides the most anonymity 
if used well, is Bitcoin. It should be carefully 
noted that all the transactions made are trans¬ 
parent in Bitcoin blockchain. Therefore, it is 
important to add a layer of anonymity. Green 
et al. have shown that it is possible to build this 
into Bitcoin itself and designed ZerocashQ. 
This section explains how to practically ac¬ 
company anonymity between the bitcoin wallet 
and the owner. 

5. "Active Management Technology" is a technology built 
into Intel chipsets after the Intel 945 that allows for remote 
access. 

6. https: / /github.com/grugq/portal 

7. http://istruecryptauditedyet.com 

8. It should be carefully noted that in some countries, this 
method of traffic anonymization may be illegal. 


2.1 Creation of anonymous wallets 

Creation of anonymous wallets can be done 
using multiple methods. Using bitaddress.org a 
user is able to generate a valid Bitcoin wallet. 
This website provides an in-browser method 
using 278 random user input points. However, 
this is by far the most insecure way of creating 
anonymous wallets. It has to be trusted that 
the JavaScript served has not been compro¬ 
mised, either server-side or in transit. Also, 
the browser itself should not be compromised 
when executing the JavaScript. 

More secure methods of wallet creation are 
using self built versions of open source Bifcoin 
wallets Armor)^ or Electrunf^ on an offline 
machine that has never touched the internet 
directly. 

Private Key (Wallet Import Format) 

Bitcoin Address 

SHARE SECRET 

19 kVNFtRAperqlPHWNxud3iEKKvUa? s z2M 

5J7QglJvfr3V243xuKgiCWjl6qLSBmQltxvsks71Casjbjbiz43 

Fig. 2. Bitcoin wallet, consisting our of pub¬ 
lic and private component. Created using 
https://bitaddress.org 

For an extra layer of security, cold storage 
wallets should be used. In this method, the 
private key of fhe wallef is air-gapped from fhe 
online machine that is used to cormect to the 
blockchain. 

2.2 Physical anonymous meetup 

Two methods for funding wallets that in¬ 
volve physical exposure are explained. The 
first method is the most anonymous method, 
if performed correctly. It consist of a physical 
meetup, set up via localbitcoins.com. Buyer 
(using anonymous identity) and seller agree on 
a rendezvous point. The buyer pays the seller 
with cash and the seller transfers fhe agreed 
amount of bitcoins to an anonymous wallet 
on the spot. It is important to ensure that the 

9. https://bitcoinarmory.com 

10. https://electrum.org 
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rendezvous point is safe against robberies, but 
is not monitored by law enforcement, i.e. CCTV 
camera systems. 

2.3 Bank wire using fake identify 

Obtaining a fake identity allows for creation of 
anonymous bank accounts. These accounts can 
then be used to buy bitcoins through services 
like Coinbas^ and Circl^^ Obtaining a fake 
passporf is enough to open a bank account that 
can then be used to fund bitcoin wallets. A fake 
passporf can be bought through the hidden 
web, explained in section 

2.4 Bitcoin mixing 

Bitcoin 'mixing', also known as 'tumbling' or 
'laundering', is the process of anonymising bit- 
coins. This is achieved by randomly moving 
and shuffling small parts of bitcoins to a large 
amount of wallets, with the intention of confus¬ 
ing the trail back to the funds' original source. 
Third parties offer this anonymising service. 
The 'Big Three' mixing services consists of 
BitBlendeij^ Bitcoin Fo^^ and Heli>|^ Other 
derivatives of the mixing protocols exist, i.e. 
SharedCoiif^ and Bitmixeip] are examples of 
employing a slightly different protocol. Some 
mixing services may have a clear web entrance 
as well, but due to possible interception of 
traffic at Tor exit-nodes implying the risk of 
MITM, it is recommended to always use the 
hidden entrance of the service, as the con¬ 
nection is then peer-to-peer encrypted. In this 
project, Bitmixer was used to anonymise bit- 
coins, in which users benefit from the instantly 
available mixed bitcoins. Bitmixer uses a large 
reserve of bitcoins to exchange a user's bitcoins 
with other bitcoins from the FIFO reserve. This 
reserve is assembled from a large amount of 
other transactions to Bitmixer. By using a time 
delay of delivery, multiple delivery wallets 
(also referred to as 'forward addresses'), and 

11. https://www.coinbase.com 

12. https://www.circle.com/en 

13. bitblendervrfkzr.onion 

14. fogcore5n3ov3tui.onion 

15. grams7enufi7jmdl.onion/helix 

16. http://sharedcoin.com 

17. bitmixer2whesjgj.onion 


a custom additional fee, in-out analysis of the 
Bitmixer reserve is prevented. In addition to 
that, Bitmixer uses a private 'bitcode' that iden¬ 
tifies a batch of previously owned bitcoins by a 
user. This ensures that a user will never receive 
its previously owned bitcoins after processing 
by Bitmixer. 





Fig. 3. Bitmixer stash, consisting a persons 
bitcoins (blue) and the anonymised bitcoins re¬ 
turned by Bitmixer. 


3 Purchasing Goods and Ser¬ 
vices 

The purchase of goods and services can be 
either via the clear web or the hidden web, as 
long as ensured that the visit of the websites is 
done using the previously described methods 
and that payment is done using multiple wal¬ 
lets of which the bitcoins themselves are again 
mixed to prevent analysis of purchase patterns. 

The purchase of items on the hidden web 
often establishes via marketplaces on the hid¬ 
den web, called 'Dark Markets'. Popular Dark 
Markets are Agora, Middle Earth Marketplace, 
Outlaw Market and Evolutiorj^^jUlj]. In gen¬ 
eral, marketplaces function as an independent 
'trusted' Man in the Middle for a transaction 
between vendor and buyer. The buyer transfers 
the bitcoins to a wallet maintained by the site. 
The vendor is then 'ensured' that the funds 
are available for purchase. Upon reception of 
of goods by the buyer, the site transfers the 
bitcoins to the vendor. Furthermore, Dark Mar¬ 
kets are highly dependent on reputation of 
vendors. This guarantees a certain amount of 
trustworthiness of the vendor. 

18. Evolution was the most popular marketplace after Silk 
Road 1 & 2 were closed by the FBI. Evolution shut down on 
March 18 2015 in an apparent 'exit scam', in which the site's 
administrators shut down their market abruptly in order to 
steal the bitcoins kept in users' escrow accounts. The admin¬ 
istrators stole Bitcoins for an estimated amount of $15 million 
USD. 
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Vendor 

S optima n 
4.956/5, 
3000'-4000 
deals 


Fig. 4. Reputation of a vendor named ‘optiman’ 
on Agora. 

It should be noted that physical items from 
other continents have a high probability of 
inspection when going through customs. In the 
European Union this results in an additional 
taxes (VAT), which may have implications to 
the succeeding delivery process. 

4 Delivery of Goods 

The delivery process is the most vulnerable 
component to the anonymity in the entire pur¬ 
chasing process. Obviously, a delivery address 
that is linked to the person's identity should 
never be used. There are two methods that 
can be used to deliver the physical goods and 
remain a high level of anonymity. 

4.1 ‘Random’ drop-off point 

This method consists of using a 'random' citi¬ 
zen as man-in-the-middle (MITM). Upon pur¬ 
chase of the goods online, an address other 
than the buyers personal address is provided 
to the vendor, with fake commonly occurring 
name. This address is the address of someone 
of which the buyer knows it exists and is able 
to locate. Preferably, this address should be of 
a person that is home often (typically aged 
or disabled people) and that is relatively easy 
reachable from the location of the buyer. Upon 
purchase, a tracking code is provided by the 
vendor. This tracking code is used to keep track 
of the delivery time of the package. As soon as 
the package is delivered at the MITM address, 
the buyer confronts the owner of the MITM 
address pretending to live on the same address, 
but with a different (but similar, pretending to 
be a typo) house number, (i.e. 11 instead of 
111). The MITM will hand over the package. 


at which point the buyer returns to its home 
address, located in a different city. 

This method however, has a few weak spots. 
It is expected that the MITM: 

• accepts the package, even though not ad¬ 
dressed to the name of the MITM. 

• is home at the moment of delivery. If de¬ 
livery at the MITM address fails, the entire 
purchase fails. 

• does not refrain from opening the package. 
Depending on the content, this could be 
fatal for the anonymity delivery, as the 
MITM may contact law enforcement. 

• can not recognise or identify the face of the 
buyer, during a possible interrogation. 

• would not ask identification upon handing 
over the package to the buyer. 


4.2 Postal office 

This method consists of using a 'random' 
postal office as man-in-the-middle. This 
method is more reliable, but hands in a level 
of anonymity and requires fake documents 
of identification, which is illegal in almost 
all countries. As in the previously described 
method, the address of a postal office together 
with a fake name, of which the buyer has 
(fake) identification, would be provided to 
the vendor. The package is delivered at the 
postal service and the buyer will retrieve 
the package, using its fake identification that 
corresponds to the recipient fake name. 

The weak spots in this method are: 

• the buyer must be in possession of a fake 
identification. 

• camera's in the postal office may reveal the 
buyers real identity. 

• the package (recipients name) is logged 
and may be used to de-anonymise the 
buyer. 

• multiple fake identities at multiple postal 
services should be used in order preserve 
anonymity. 

In this method, the postal office may be 
replaced by a third party post box service 
that allows physical pick-up of the delivered 
packages. 
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5 Costs of anonymity 

As shown in this paper, anonymity requires 
many assets that can rapidly result in a costly 
operation. In this section, a rough overview is 
given for the costs of an anonymous operation. 


Component 

Estimated cost 

Anonymous laptop 

€400 

Air-gapped 

Raspberry Pi 

€50 

Mobile phone (Nokia 
108) 

€30 

SIM card 

€10 of which half is 
credit 

Mixing bitcoins (Bit- 
mixer) 

0.5% of the total 
amount plus 0.0005 
per forward address. 


This table does not take into account com¬ 
ponents like fuel for traveling, losses in price 
fluctuations of bifcoin and foremosf, a person's 
time. 

6 Conclusion 

We have shown that it is possible to pre¬ 
serve a high level of anonymity on the In¬ 
ternet while purchasing physical goods. Good 
OPSEC practices like compartmentation and 
encrypted communication is inevitable and es¬ 
sential. Anonymity, as in security, is as strong 
as its weakest link. We have shown different 
techniques of obtaining anonymous bitcoins 
that can be used to purchase virtual services 
and physical goods. The anonymity is most 
vulnerable at the delivery process. Finally, we 
have shown that anonymity comes at a cost 
that does not make it appealing to execute. 
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